Ldap – SSSD & LDAP authentication

authenticationldapsssd

I’m currently working on deploying OpenLDAP and SSSD for authentication. When I try to id a user that is stored within LDAP I get the response no such user.

The user has been added to LDAP correctly and I can perform an ldapsearch –ZZ and find the user.

I have tried running sssd –i –d9 and get the following response when trying to id the user:

[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][4097][1][name=ldaptest]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:ldaptest@LDAP]
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xcfac90
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=ldaptest]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
[sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x22db230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
[sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x22da6d0][20]


[sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
[sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'hostname' is 'name resolved'
[sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'hostname' is 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
[sssd[be[LDAP]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
[sssd[be[LDAP]]] [be_mark_offline] (0x2000): Going offline!
[sssd[be[LDAP]]] [be_ptask_create] (0x0400): Periodic task [Check if online (periodic)] was created
[sssd[be[LDAP]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 78 seconds from now [1438098389]
[sssd[be[LDAP]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0xe6d960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0xe65230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider

The hostname hostname resolves, the port 636 is definitely open (have turned iptables off and also able to telnet)

The following is my sssd config file:

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root, ldap, named

[pam]

# LDAP domain
[domain/LDAP]

ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=test,dc=domain
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = true
chpass_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_chpass_uri = ldaps://hostname:636/
cache_credentials = true
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))

I have been unsuccessful in finding answers in Google. Any pointers towards a solution would be greatly appreciated.

Many Thanks.

Best Answer

ldap_id_use_start_tls = true

is definitely wrong.

In order to crypt your network traffic to LDAP you have to choices:

  • Older SSL on port 636
  • Newer StartTLS on port 389 (connection starts in plain then upgrades to TLS)

StartTLS and SSL are mutally exclusive.

Try removing the offending line.

Related Topic